CIS hardening of alpine based docker container

I’ve got a service running inside a docker container. I’ve built my own image based on nginx:stable-alpine docker image.

I am trying to ascertain whether the concept of CIS hardening applies to the container itself or just the host OS where the container is running. (I am not interested in the host itself as that is already CIS hardened by the hosting provider)

Had a couple of suggestions such as https://github.com/docker/docker-bench-security and https://github.com/dev-sec/cis-docker-benchmark but these again only seem to apply to the Host OS where docker is running. the nginx alpine image does for example contain some sample confs and html which should be removed according to CIS hardening rules.

Are there any scripts or tools i can run that can report on whether there are other aspects of the container that need to be hardened in the Dockerfile to ensure the container is CIS compliant? ideally i’d like to avoid having to prove every point in the CIS hardening spec manually. I have found this but its 3 years old script and i cant be confident that its maintained.

Debian 9 file system CIS-CAT hardening issues

I’m performing a CIS-CAT scan and I’m questioning the results of the scanner being poorly designed. Now I am running on Debian 9 which isn’t officially supported by the scanner but I can get it to run and I’ve implemented 95% of their requirements and can successfully scan using the following command:

sudo ./CIS-CAT.sh -f -D ignore.platform.mismatch=true -D include.csv.remediation=true -csv 

/bin has permissions of drwxr-x–x and they want me to remove execute for other, however if I "chmod o-x /bin" then a regular user cannot execute standard commands like "ls" Is there a different approach to this?

Same thing with the following: /dev /var/cache/man /run/systemd /run/dbus /run/sshd 

which have permissions of drwxr-xr-x. CIS-CAT wants me to remove other read and execute but it’s permissions get reset on reboot.